Navigate

CCI-003861

CCI-003861 Definition

Assess the controls in the systems and its environment of operation on an organization-defined frequency, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the privacy requirements.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

Determine if: - controls are assessed in the system and its environment of operation [CA-02_ODP[01]; the frequency at which to assess controls in the system and its environment of operation is defined] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements. - controls are assessed in the system and its environment of operation [CA-02_ODP[01]; the frequency at which to assess controls in the system and its environment of operation is defined] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established privacy requirements.

Validation Procedures

Examine: [SELECT FROM: Assessment, authorization, and monitoring policy; procedures addressing assessment planning; procedures addressing control assessments; control assessment plan; control assessment report; system security plan; privacy plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with control assessment responsibilities; organizational personnel with information security and privacy responsibilities]. Test: [SELECT FROM: Mechanisms supporting control assessment, control assessment plan development, and/or control assessment reporting].

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-003861.

Control	Description
CA-2	a: Select the appropriate assessor or assessment team for the type of assessment to be conducted; b: Develop a control assessment plan that describes the scope of the assessment including: 1: Controls and control enhancements under assessment; 2: Assessment procedures to be used to determine control effectiveness; and 3: Assessment environment, assessment team, and assessment roles and responsibilities; c: Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment; d: Assess the controls in the system and its environment of operation [the frequency at which to assess controls in the system and its environment of operation is defined;] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements; e: Produce a control assessment report that document the results of the assessment; and f: Provide the results of the control assessment to [individuals or roles to whom control assessment results are to be provided are defined;].

Control

Description

CA-2

a: Select the appropriate assessor or assessment team for the type of assessment to be conducted;

b: Develop a control assessment plan that describes the scope of the assessment including:
- 1: Controls and control enhancements under assessment;
- 2: Assessment procedures to be used to determine control effectiveness; and
- 3: Assessment environment, assessment team, and assessment roles and responsibilities;

c: Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;

d: Assess the controls in the system and its environment of operation [the frequency at which to assess controls in the system and its environment of operation is defined;] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements;

e: Produce a control assessment report that document the results of the assessment; and

f: Provide the results of the control assessment to [individuals or roles to whom control assessment results are to be provided are defined;].